Previously published in the Electronic Healthcare Law Review, October 2011
Canadians have a right to expect safety in the delivery of healthcare in Canada. Electronic healthcare systems should be no exception.
In Canada, we are fortunate to have a variety of protective mechanisms within which health services are delivered, to regulate and protect all aspects of patient safety. Medical device regulations, where those rules apply, form a small but important part of that regulatory environment.
In addition, there is a strong and increasingly disciplined awareness within the eHealth industry in Canada of the requirement to examine and ensure patient safety across other aspects of these systems, and throughout their deployment lifecycle.
The use of computing and communications technologies to improve patient safety and enhance healthcare delivery to patients is also a reasonable expectation of Canadians, and is a growing reality in this country. The positive impacts of modern logistics and resource management, e-prescription and drug-interaction checking supporting physicians, pharmacists and other caregivers, allergy and similar alert notifications, timely and accurate patient identification and transaction- keeping, readily accessible electronically available diagnostic imaging and laboratory results, and similar care enhancements are increasingly available in many jurisdictions. These and other upcoming major changes in information accessibility and use make big differences in the delivery of care to Canadian patients.
Electronic records and health information systems encompass much more than conventional medical devices, providing correct personal identification, accurate communication of test and treatment results and information, secure and complete interactions supporting diagnosis and treatment with clinicians and medical technologies, easy to use home-care devices, and correct sharing of data in various patient e-records. Soon, systems may provide even greater support to clinicians and caregivers, guiding best practices and supporting diagnostic and treatment decisions.
These large-scale integrated and multipurpose health systems include software and hardware that is inherently more complex and which includes greater technical and semantic interoperability challenges, complex multiple interconnectivity requirements, and many levels of security and protections for privacy and appropriate access and audit, than ever before.
The avoidance of the introduction of new risks to patient safety is a paramount concern at all stages of lifecycle of these new systems and their associated health software, from inception and design through development, code generation, specification, site-specific modification, procurement and acquisition, installation, customization, and eventual use, modification, and improvement (and eventual decommissioning and replacement).
The configuration, integration and clinical use of these information and communications systems to enable patient-centred care across multiple sites, hospitals, clinics, physicians and providers, and other agencies is much more complex and involves many more parties and systems than ever before.
Risks associated with these systems have to be proactively identified and managed by clinicians, care-provider organizations, and health informatics professionals as a matter of course, inherent in their development and use, embedded in their thinking and operations — and in a disciplined and thoughtful manner.
Such risks, starting at the design and development stages, need to be understood and mitigated by the right process, attribute and risk management practices and standards, appropriate to the risk and stage in the lifecycle.
As an example, the ISO13485 standard imposed by Health Canada to regulate the design and sale of medical devices in Canada, is a very useful process standard for reducing risk through consistent application of quality management processes in manufacturing. It is applied by hardware and software manufacturers to the production and design/development of devices which are sold in Canada for the purpose of diagnosis and treatment of patients.
That device-centric standard, however useful, is not sufficient to address risk mitigation throughout the entire lifecycle of these larger scale, highly configured, highly interoperable and multi-purpose/multi-party computer and communications systems.
An ISO Technical Report being prepared with major Canadian contributions is being proposed to the ISO Technical Committee (TC215) on Health Informatics to provide guidance on standards which appropriately address a variety of different risks associated with the design, development, configuration, integration, deployment and use/modification of health software.
The Technical Report will identify a proposed suite of standards describing internationally acceptable best practices, either available today or which will be developed, to manage risks across identifiable stages and steps in the lifecycle of health software, across all levels of software from components to applications to enterprise systems.
Even those standards, once identified, adopted and applied by industry, software integrators, healthcare IT departments, system operators and clinician users, will not be sufficient. The people, processes and management of eHealth in Canada will need to continue to embrace our industry's culture of patient safety in the planning, development, delivery and operation of eHealth systems.
The reinforcement of that "patient safety culture" for eHealth software and systems will require ongoing awareness building, training programs, safety assessments, safety incident monitoring, incident reporting without blame, process improvement, and safety certification for both people and systems as appropriate.
We all have to consider the ecology of regulation within which healthcare delivery systems, including software and eHealth systems, operate and ensure that patient safety is one of the paramount goals of all parts of that ecology.
The regulation of patient safety includes licensing, certification, testing and incident reporting, both with respect to people and devices, along the continuum of patient care. But it also includes a thoughtful and deliberate approach to understanding system lifecycles, types of risks and ability to control risks at different steps in the lifecycle, and then training and reinforcing a cultural focus within the human side of these operations which continues to focus on patient safety, without being unduly distracted by efficiencies or particular technologies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
